CVE-2026-53090
Received - Intake
BPF ld_{abs,ind} Instruction Handling Fix in Linux Kernel

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix ld_{abs,ind} failure path analysis in subprogs

Usage of ld_{abs,ind} instructions got extended into subprogs some time ago via commit 09b28d76eac4 ("bpf: Add abnormal return checks."). These are only allowed in subprograms when the latter are BTF annotated and have scalar return types.

The code generator in bpf_gen_ld_abs() has an abnormal exit path (r0=0 + exit) from legacy cBPF times. While the enforcement is on scalar return types, the verifier must also simulate the path of abnormal exit if the packet data load via ld_{abs,ind} failed. This is currently not the case.

Fix it by having the verifier simulate both success and failure paths, and extend it in similar ways as we do for tail calls. The success path (r0=unknown, continue to next insn) is pushed onto stack for later validation and the r0=0 and return to the caller is done on the fall-through side.

Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 2 associated CPEs

Vendor | Product | Version / Range
linux | linux_kernel | *
linux_kernel | linux_kernel | *

CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's BPF (Berkeley Packet Filter) subsystem, specifically related to the handling of ld_{abs,ind} instructions within subprograms.

The issue arises because the verifier does not properly simulate the failure path when loading packet data using ld_{abs,ind} instructions. These instructions were extended to be used in subprograms only if those subprograms are BTF annotated and have scalar return types.

The code generator has an abnormal exit path from legacy cBPF times where r0 is set to 0 and the program exits. While enforcement exists for scalar return types, the verifier must also simulate both success and failure paths of the load instruction, but it currently only simulates the success path.

The fix involves having the verifier simulate both the success path (where r0 is unknown and execution continues) and the failure path (where r0=0 and the program returns to the caller), ensuring proper validation and handling of these cases.
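
The two-path exploration described above, as an added example that is not kernel code and not part of the original record: a toy abstract interpreter in C over a made-up three-opcode subprogram. The opcode names, structs and sample program are assumptions for illustration; it reports which r0 values the analysis believes the caller can receive when only the success path is simulated and when both paths are.

```c
#include <limits.h>
#include <stdio.h>

/* Toy model, not kernel code: opcodes, structs and the program are hypothetical. */
enum op { LD_ABS, MOV_R0_IMM, EXIT };
struct insn { enum op op; int imm; };
struct state { int pc, r0_known, r0; };   /* r0_known == 0 means r0 is unknown */
struct range { int min, max, returns; };  /* r0 values the caller may observe */

/* Constructed subprogram: load from the packet, then "return 1". */
static const struct insn sample_subprog[] = { {LD_ABS, 0}, {MOV_R0_IMM, 1}, {EXIT, 0} };

static void record_return(struct range *out, const struct state *s)
{
    int lo = s->r0_known ? s->r0 : INT_MIN, hi = s->r0_known ? s->r0 : INT_MAX;
    if (lo < out->min) out->min = lo;
    if (hi > out->max) out->max = hi;
    out->returns++;
}

/* Walk every path of one subprogram; both_paths=1 models the fixed analysis. */
struct range explore(const struct insn *prog, int both_paths)
{
    struct state pending[8], cur = { 0, 0, 0 };
    struct range out = { INT_MAX, INT_MIN, 0 };
    int top = 0;

    for (;;) {
        const struct insn *i = &prog[cur.pc];
        if (i->op == MOV_R0_IMM) { cur.r0_known = 1; cur.r0 = i->imm; cur.pc++; continue; }
        if (i->op == LD_ABS) {
            struct state ok = { cur.pc + 1, 0, 0 };  /* success: r0=unknown, next insn */
            if (!both_paths) { cur = ok; continue; } /* pre-fix: failure never analysed */
            pending[top++] = ok;                     /* validate the success path later */
            cur.r0_known = 1; cur.r0 = 0;            /* fall-through: r0=0, return to caller */
        }
        record_return(&out, &cur);                   /* EXIT or failed load */
        if (top == 0) return out;
        cur = pending[--top];
    }
}

int main(void)
{
    struct range a = explore(sample_subprog, 0), b = explore(sample_subprog, 1);
    printf("success only: r0 in [%d, %d], %d return(s)\n", a.min, a.max, a.returns);
    printf("both paths:   r0 in [%d, %d], %d return(s)\n", b.min, b.max, b.returns);
    return 0;
}
```

With only the success path the model concludes the caller always sees r0 == 1; with both paths the r0 == 0 return from the failed load is part of the analysed state.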

Impact Analysis

This vulnerability relates to the Linux kernel's BPF subsystem, specifically the handling of ld_{abs,ind} instructions in subprograms. The issue involves improper simulation of failure paths during packet data loads, which could lead to incorrect verification of BPF programs. This might result in unexpected behavior or security issues when running BPF programs that rely on these instructions.
